My app requires users to sign in, and only social login is available (Google/Apple).
For the review request, I provided a test account, but they couldn't log in due to the authentication or 2-step verification process, so my app was rejected.
(Even though I created a new Google account and didn't set any security settings, including 2-step verification, the identity verification process is still included.)
From old memory, I know that Facebook was able to create test accounts for review.
Is there a way to create a test account without any security settings provided by Google or Apple?
Please give me an idea...
Related
Users on my platform can register with email & password.
When they wish to log back in they can use a 3rd party integration (such as Gmail) to authenticate their email.
I've seen on multiple websites (Zapier for example) that even though I authenticated with the Gmail integration, they still ask me for my original password when signing in.
Why would they need my password if they already authenticated that this is my email?
Are there any security reasons to do so, or is it just to make sure that even though it is my email, I know my password for my account?
There is no need to ask for a password if you connect with a trusted service such as Google, Facebook, Apple, Microsoft, Twitter, etc., and you are in fact delegating all security checks to the respective provider. Google, for example, based on the user's account settings, would be responsible for providing the user with a 2FA challenge before logging in.
It would in fact be good UX practice to not even ask the user to create a password and some websites even decide to exclude the creation of local accounts altogether. In this case, the user can just log in with the provider without the need for a "sign up" process because all OAuth providers share the user's email address if requested so you can create the account "on the fly" as needed and personalize the experience by sending a welcome email, redirecting to a page, showing a message, etc.
That being said, you can augment the login security as much as you want with original password requests, CAPTCHA challenges, encryption, IP whitelists, hit counters, cooldown periods, etc., if you feel it's justified. Would it be needed? Probably not in most cases.
I am building an SSO system for Android where I am the identity provider. And I want users to sign in from my app, which will automatically log them in to Google Workspace (or any other enterprise application, e.g. Salesforce). I cannot figure out what and how to send identity values from my IdP to Google Workspace.
This can't be done this way round. When a user signs in to your app she can't be automatically signed in to any other application. The options that you have are:
When a user signs in to your application you can ask Google for an access token. As part of your sign-in process, you can run an OAuth flow against Google Authorization Servers and ask for proper permissions. This will allow the user to additionally log in to their Google account, consent to release information to your app and you will then get an access token that will enable you to call Google's APIs. This way your users will have to log in twice (both to your app and to Google).
You can rely on Google to log users into your app. So, Google will be the OIDC Provider and your app will only be the client. People will log in to their Google account, and you will get an ID token in return. You can use the data from the ID token to create user accounts and sessions in your app.
In the first case, you will want to have a look at OAuth flows, like the code flow. In the latter, you will need OIDC flow, e.g. the OIDC code flow.
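The second option above ends with an ID token whose claims the app is about to trust. The following is an added example (not code from the answer or from Google) of the checks an app must run before using those claims; it assumes an HMAC stand-in key instead of Google's RS256 public keys so that it runs offline, but the claim checks (alg, signature, iss, aud, exp, nonce, email_verified) are the same ones a real client performs.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in: Google signs ID tokens with RS256 and publishes the public keys;
# an HMAC key replaces that here so the claim checks below run offline. The checks are the same.
STAND_IN_KEY = b"constructed-demo-key-not-a-google-key"
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims):
    """Produce an HS256 JWT for the claims (plays the role of Google's signer in this demo)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(STAND_IN_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token, client_id, nonce, now=None):
    """Return the claims only when alg, signature, iss, aud, exp and nonce all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # never accept 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(STAND_IN_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != client_id:  # minted for another client, not for this app
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:  # ties the token to the login attempt that started it
        raise ValueError("nonce mismatch")
    if not claims.get("email_verified", False):
        raise ValueError("provider has not verified this email")
    return claims  # key local accounts on the stable 'sub', not on the email address
```

Key user records on `sub`; an email address can change or be re-issued, the subject identifier cannot.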
KeeWeb deployed self-hosted on Kubernetes and integrated with gdrive, but getting a "Google hasn't verified this app" error.
Nothing in the log; I followed the steps at https://github.com/keeweb/keeweb#self-hosting
"Google hasn't verified this app" means exactly that. An app was created on the Google Cloud console. This app is being used to request the consent of a user to access their data. So a consent screen has been configured.
Any app which requests data of a user, and uses sensitive scopes, will need to go through the verification process with Google in order to be sure that the app is secure.
Unverified apps
An unverified app is an app or Apps Script that requests a sensitive or restricted OAuth scope, but hasn't gone through the Google verification process. Users of unverified apps or your test builds might get warnings based on the OAuth scopes you're using. This is to protect users and their data from deceptive apps.
Can the Gmail API be used for sending out account verification when registering to a site?
I plan to use it for email registration, verification, and forgot password, for transactional use.
Yes, it can, but you may not want to unless you are using Google Workspace.
To send an email using a standard Google Gmail account you will need to use OAuth2 and authorize the user who owns the account. Using Gmail scopes with OAuth2 will require your application to go through a security audit. This audit is expensive and time consuming. It's up to you to decide if this is worth it or not.
You could go through the SMTP server and use something called an app password to authorize it. This solution would work, but Google is shutting down unsafe apps now and I fear that app passwords will be next. If it is your only option, then it would be to use XOAUTH2 with SMTP, which again may require that you verify the app.
If you do have a Google Workspace account, then you could set up domain-wide delegation to a service account, allowing it to impersonate a user on your Workspace domain. This solution would work without any issues. It would be optimal in my opinion.
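The two mechanisms named in the last two paragraphs meet in the same place: a bearer access token presented to SMTP. The following is an added example (not the answerer's code) that builds the claim set of the domain-wide-delegation JWT assertion exchanged at Google's token endpoint for such a token, and the SASL XOAUTH2 initial client response that carries it to SMTP AUTH. Signing the assertion with the service account's RSA key (RS256) is left to a JWT library; the service-account and user addresses are constructed placeholders.

```python
import base64

TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
MAX_ASSERTION_LIFETIME = 3600  # Google rejects assertions whose exp is more than 1 h after iat

def dwd_assertion_claims(service_account_email, impersonated_user, scopes, now, lifetime=3600):
    """Claim set for a domain-wide-delegation assertion; RS256-signing it with the
    service account's private key is done by a JWT library and is not shown here."""
    if not 0 < lifetime <= MAX_ASSERTION_LIFETIME:
        raise ValueError("assertion lifetime must be between 1 and 3600 seconds")
    if not scopes:
        raise ValueError("request exactly the scopes the mailer needs")
    return {
        "iss": service_account_email,  # the service account that was granted delegation
        "sub": impersonated_user,      # the Workspace user the resulting token acts as
        "scope": " ".join(scopes),
        "aud": TOKEN_ENDPOINT,
        "iat": now,
        "exp": now + lifetime,
    }

def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 initial client response for SMTP AUTH:
    base64("user=" + user + "\\x01auth=Bearer " + token + "\\x01\\x01")."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()
    return base64.b64encode(raw).decode()
```

With smtplib this string is what you pass to `smtp.docmd("AUTH", "XOAUTH2 " + response)` after STARTTLS; the access token, not an app password, is the credential, and it expires with the assertion-derived token.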
I linked Google Drive from my ERP program.
Yet, since last February 20th, I haven't been able to sign in from the program.
I checked my domains from Search Console.
However, I still don't get consent from the OAuth screen.
What should I do?
Below is the image from the OAuth Consent Screen.
Unverified apps
An unverified app is a web application or Apps Script that requests a sensitive OAuth scope, but hasn't gone through the Google verification process. Users of unverified apps or your test builds might get warnings based on the OAuth scopes you're using. This is to protect users and their data from deceptive applications.
If you read the page you will see that your application has not completed the verification process as you have requested one or more of the sensitive scopes.
You have also not verified the domain.
Only the developer who created the project will probably be able to log in, and with a limited quota. You need to wait until the application is verified before it will begin to work in production mode.